AUP28. Implementing Security In Integrated Architecture Practical security solutions for Industrial Control System (ICS)

N/A
N/A
Protected

Academic year: 2021

Share "AUP28. Implementing Security In Integrated Architecture Practical security solutions for Industrial Control System (ICS)"

Copied!
48
0
0

Loading.... (view fulltext now)

Full text

(1)

Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.

PUBLIC INFORMATION

Implementing Security In Integrated Architecture

Practical security solutions for Industrial Control System (ICS)

Clive Barwise, Rockwell Automation

European Product Manager Networks and Security

9th and 10th September 2014

(2)

Agenda

• Trends in Security of Industrial Control Systems
• Defense in Depth
• Remote Access
• Conclusion

(3)


Cyber Security in the News?

(4)

(5)

Recently reported by customer

New Havex malware variants target industrial control system and SCADA users

During the spring, attackers began distributing new versions of a remote access Trojan (RAT) program called Havex by hacking into the websites of industrial control system (ICS) manufacturers and poisoning their legitimate software downloads.

F-Secure did not name the affected vendors, but said that two of them develop ICS remote management software and the third supplies high-precision industrial cameras and related software. According to the security firm, the vendors are based in Germany, Switzerland and Belgium.

The attackers modified the legitimate software installers to drop and execute an additional file on computers. The file is called mbcheck.dll and is actually the Havex malware.

That conclusion is also supported by the existence of a new malicious Havex component whose purpose is to scan local area networks for devices that respond to OPC (Open Platform Communications) requests.

The Havex component leverages the OPC standard to gather information about industrial control devices and then sends that information back to its command-and-control (C&C) server for the attackers to analyze, the F-Secure researchers said. “It appears that this component is used as a tool for intelligence gathering. So far, we have not seen any payloads that attempt to control the connected hardware.”

Following the discovery of the Stuxnet industrial sabotage malware in 2010, which is believed to have destroyed up to 1,000 uranium enrichment centrifuges in Iran, security researchers sounded the alarm about the insecurity of industrial control systems and the ease with which they can be targeted by attackers. Despite those concerns, widespread malware attacks against ICS and SCADA systems never became a reality, making the new Havex campaigns a rare occurrence, but possibly

(6)

Security – Why is it so critical now?

Industrial Control Systems are part of the Enterprise and no longer islands of automation.

Source: ARC Survey of Control System Engineers 2009

“Nearly 65% of facilities allow remote access to their control systems.”

Source: 2011 Annual Report on Cyber Security Incidents And Trends Affecting Industrial Control Systems.

(7)

It is becoming the LAW

(8)
(9)

What is Industrial Cyber Security Risk Management?

The use of proven technologies, policies & procedures to…

• Reduce risks associated with unintended or malicious actions
• Improve ability to be free from danger, injury or loss
• Enhance protection of key assets from disruption, loss or damage
• Protect & limit potential exposure or damage to key assets

RISK = Threat × Vulnerability × Consequence

(10)

Rockwell Automation Focus on Industrial Cyber Security

Reduce risks to safe and reliable operation
…Control system architecture with layered security to help maintain operational integrity under threat

Protect assets & information
…Product and system features to help control access, tamper-proof and limit information exposure

Focus areas: Network, IP protection, Data Protection and Confidentiality, Anti-Tamper and Detection, Remote Access, Data Protection, Role-based Security, Supply-chain Partners

Government and Standards Alignment
…Responsible disclosure with control system solutions that follow

(11)

Industrial Network Security Trends

Established Industrial Security Standards

• International Society of Automation – ISO/IEC-62443 (Formerly ISA-99), Industrial Automation and Control Systems (IACS) Security: Defense-in-Depth, IDMZ Deployment
• National Institute of Standards and Technology – NIST 800-82, Industrial Control System (ICS) Security: Defense-in-Depth, IDMZ Deployment
• Department of Homeland Security / Idaho National Lab – DHS INL/EXT-06-11478, Control Systems Cyber Security: Defense-in-Depth Strategies: Defense-in-Depth

(12)

Collaboration of Partners

• The Established #1 Industrial Ethernet
• Physical Layer Network Infrastructure
• Leader in Industrial Network Infrastructure: Wireless, Security, Switching/Routing

Reduce Risk • Simplify Design • Speed Deployment

(13)

Defense-in-Depth

No single product, technology or methodology can fully secure Industrial Automation and Control System (IACS) applications.

Protecting IACS assets requires a defense-in-depth security approach, which addresses internal and external security threats.

This approach utilizes multiple layers of defense (physical, procedural and

(14)
(15)


(16)

Defense-in-Depth

Industrial Security Policies Drive Technical Controls

• Physical – limit physical access to authorized personnel: Cells/Areas, control panels, devices, cabling, and control room
• Network – security framework, e.g. firewall policies, access control list (ACL) policies for switches and routers, AAA, intrusion detection and prevention systems (IDS/IPS)
• Computer Hardening – patch management, Anti-X software, removal of unused applications/protocols/services, closing unnecessary logical ports, protecting physical ports
• Application – authentication, authorization, and accounting (AAA) software
• Device Hardening – change management,

(17)

Defense-in-Depth

Computer Hardening – Examples

• Security Patch Management: establish and document a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches
  – Keep computers up-to-date on service packs and hot fixes
  – Disable automatic updates
  – Check software vendor website
  – Test patches before implementing
  – Schedule patching during downtime
• Deploy and maintain Anti-X (antivirus, antispyware, etc.) and malware detection software
  – Disable automatic updates and automatic scanning
  – Test definition updates before implementing
  – Schedule manually initiated scanning during downtime
• Uninstall unused Windows components
• Protocols and Services
• Protect unused or infrequently used USB, parallel or serial interfaces

(18)

Computer Hardening – Examples: Software Restriction Policies (SRP)

Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain, and controls the ability of those programs to run. Software restriction policies are part of the Microsoft security and management strategy to assist enterprises in increasing the reliability, integrity, and manageability of their computers.

You can also use software restriction policies to create a highly restricted configuration for computers, in which you allow only specifically identified applications to run.

Software restriction policies are integrated with Microsoft Active Directory and Group Policy.

You can define these policies through the Software Restriction Policies extension of the Local Group Policy Editor or the Local Security Policies snap-in to the Microsoft

(19)

Computer Hardening – Examples

(20)

Computer Hardening – Examples

Registry Setting to Disable USB

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
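The UsbStor key above, the SRP allow-list mode and the "disable automatic updates" advice from the Computer Hardening slides can be checked on a host with one read-only script. The following is an added PowerShell example, not Rockwell's tooling; it assumes the standard Windows registry locations for UsbStor, Software Restriction Policies and Windows Update policy, and the level-to-name mapping given in its comments.

```powershell
# Added example (not from the Rockwell deck): read-only audit of three computer-hardening
# items from the slides, for a Windows engineering workstation or HMI host.
# Assumptions: standard registry locations for UsbStor, Software Restriction Policies and
# Windows Update policy; run in an elevated PowerShell session on the host being checked.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-UsbStorDisabled {
    # The slide's key: Start = 4 stops the USB mass-storage driver from loading; 3 (the
    # default) loads it on demand when a storage device is plugged in.
    $start = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor' 'Start'
    [pscustomobject]@{ Check = 'USB mass storage disabled (UsbStor Start=4)'
                       Value = $start; Pass = ($start -eq 4) }
}

function Test-SrpAllowList {
    # Software Restriction Policies are stored under ...\Safer\CodeIdentifiers.
    # DefaultLevel 0 = Disallowed (only listed software runs), 0x20000 = Basic User,
    # 0x40000 = Unrestricted. The "highly restricted configuration" on the slide is level 0
    # plus explicit rules at the Unrestricted level for the approved applications.
    $base  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $level = Get-RegValue $base 'DefaultLevel'
    $names = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
    $label = 'not configured'
    if ($null -ne $level) {
        $label = if ($names.ContainsKey([int]$level)) { $names[[int]$level] } else { "unknown ($level)" }
    }
    # Count the explicit allow rules (path rules stored under the Unrestricted level key).
    $allow = @(Get-ChildItem -Path "$base\262144\Paths" -ErrorAction SilentlyContinue).Count
    [pscustomobject]@{ Check = 'SRP default level is Disallowed'
                       Value = $label; Pass = ($level -eq 0) }
    [pscustomobject]@{ Check = 'SRP has explicit allow rules'
                       Value = $allow; Pass = ($level -eq 0 -and $allow -gt 0) }
}

function Test-AutoUpdateDisabled {
    # NoAutoUpdate = 1 turns off automatic installation so patches can be tested first and
    # installed during planned downtime, as the patch-management bullets recommend.
    $v = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' 'NoAutoUpdate'
    [pscustomobject]@{ Check = 'Automatic updates disabled by policy'
                       Value = $v; Pass = ($v -eq 1) }
}

$results = @(Test-UsbStorDisabled) + @(Test-SrpAllowList) + @(Test-AutoUpdateDisabled)
$results | Format-Table -AutoSize
if ($results.Pass -contains $false) {
    Write-Warning 'One or more hardening checks failed; review before connecting this host to the Industrial Zone.'
}
```

The script only reads; changing UsbStor or SRP should still go through the change-management process the slides describe and be tested on a spare workstation first.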

(21)

Network Security Framework

Physical Port Security

• Keyed solutions for copper and fiber
• Lock-in, Blockout products secure connections
• Data Access Port

(22)

Security Quality

Product Design Approach

Develop

(23)

Security Quality

Product Resiliency & Robustness (R&R) Testing

• Key part of our Industrial Security Team
• Help reduce customer risk
• Critical to our Industrial Security Goals
• Identify weaknesses and vulnerabilities
• Improve product resiliency & robustness
• Evaluation of all company products
• Leveraging ISA Security Compliance Institute (ISCI) approved tools and test suites
• Achilles test tool & “Level-2” test suite fulfills technical aspects of ISA-99 and IEC-62443 standard for ICS cyber security
• Evaluates resiliency of Ethernet protocol suite
• Results provide concrete facts about product resiliency to

(24)

Defense-in-Depth

Controller Hardening – Examples

Electronic design – Firmware Digital Signatures

• Purpose of digital signature
  – Protect firmware from accidental and malicious corruption
  – Ensure firmware was generated by Rockwell Automation

How they’re being introduced…
• ControlLogix L7x and V18 SoftLogix firmware is “digitally signed”
• More devices will have signed firmware in the future – ControlFlash itself may check the signature

How they work…
• Rockwell Automation digitally signs firmware kits with a private key when they are released
• Devices locally check the signature with a corresponding public key
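The two bullets under “How they work…” can be modelled end to end, including what the device sees when an image has been altered. The block below is an added PowerShell example using the .NET RSA classes, not Rockwell's signing code or the ControlFlash kit format; the firmware bytes are constructed and the key pair is generated on the spot rather than held in a protected release environment.

```powershell
# Added example (not Rockwell's signing code or the ControlFlash kit format): a model of the
# firmware-kit flow on the slide using RSA/SHA-256 from .NET. The vendor signs the kit with
# a private key at release; the device verifies it with its embedded public key.
# Assumptions: the firmware bytes are constructed, and the key pair is generated here
# rather than held in a protected release environment.

function New-RsaProvider {
    param([int]$KeySize = 0)
    # Provider type 24 (PROV_RSA_AES) is the CSP that supports SHA-256 signatures.
    $csp = New-Object System.Security.Cryptography.CspParameters -ArgumentList 24
    if ($KeySize -gt 0) {
        New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList $KeySize, $csp
    } else {
        New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList $csp
    }
}

function New-SignedKit {
    param([byte[]]$Firmware, [System.Security.Cryptography.RSACryptoServiceProvider]$PrivateKey)
    # Vendor side: SignData hashes the whole image with SHA-256 and signs the digest.
    # The kit that ships is image + signature; the private key never leaves the vendor.
    $sig = $PrivateKey.SignData($Firmware, 'SHA256')
    [pscustomobject]@{ Firmware = $Firmware; Signature = $sig }
}

function Test-SignedKit {
    param($Kit, [string]$PublicKeyXml)
    # Device side: only the public half is present. A failed check means "refuse to flash",
    # which covers both a corrupted download and a deliberately modified image.
    $verifier = New-RsaProvider
    $verifier.FromXmlString($PublicKeyXml)
    $ok = $verifier.VerifyData($Kit.Firmware, 'SHA256', $Kit.Signature)
    $verifier.PersistKeyInCsp = $false   # do not leave a key container behind
    $verifier.Dispose()
    $ok
}

# Constructed sample: a stand-in firmware image and a copy with a single byte altered.
$key      = New-RsaProvider -KeySize 2048
$pubXml   = $key.ToXmlString($false)   # $false exports the public parameters only
$image    = [System.Text.Encoding]::ASCII.GetBytes('CONSTRUCTED FIRMWARE IMAGE v1.0')
$kit      = New-SignedKit -Firmware $image -PrivateKey $key

$tampered = [byte[]]$image.Clone()
$tampered[5] = $tampered[5] -bxor 1
$badKit   = [pscustomobject]@{ Firmware = $tampered; Signature = $kit.Signature }

"Genuine kit accepted:  $(Test-SignedKit -Kit $kit -PublicKeyXml $pubXml)"
"Tampered kit accepted: $(Test-SignedKit -Kit $badKit -PublicKeyXml $pubXml)"

$key.PersistKeyInCsp = $false   # ephemeral demo key; remove its container on dispose
$key.Dispose()
```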

(25)


Controller Security Tools

Turn the Switch

Lock the Program

Protect the Source

(26)

Tools for a Secure Application

Controller Change Detection

• Every Logix PAC™ exposes a Change Detection Audit Value
• When something happens that can impact the behavior of the controller, the value changes
• Audit Value is available in RSLogix™ 5000 and Studio 5000 Logix Designer™, in other software applications and in other controllers via a message instruction

(27)

Defense-in-Depth

Controller Hardening – Examples

Electronic design – Logix Controller Data Access Control

• Users can assign External Access settings of Read/Write, Read Only, or None to tags
• Useful to control which tags can be modified from an HMI or other external application
• A cryptographically licensed trusted connection is established between RSLogix 5000 and the Logix controller
• Ensures tags designated as Read-Only or None can only be changed by RSLogix 5000
• Users can also define tags as Constants. Constants can not be modified by controller logic

Improves security of tags especially when used in conjunction with

(28)
(29)

Tools for a Secure Application

FactoryTalk Security

Use FactoryTalk Security to… manage the insider threat by authenticating the user and authorizing the use of Rockwell Automation software applications to access automation devices.

How does it work? Provides a centralized authority to verify the identity of each user and grants or denies the user's requests to perform a particular set of actions on resources within the system.

• Authenticate the User
• Authorize Use of Applications
• Authorize Access to Specific Devices

FactoryTalk Directory (All FactoryTalk Security enabled software)

(30)

The Purdue Model and Rockwell Automation

Rockwell Automation and CISCO Systems have defined a

(31)

Network Security Framework

Industrial Demilitarized Zone

Logical Model – Industrial Automation and Control System (IACS): Converged Multi-discipline Industrial Network

[Diagram: Purdue levels and security zones]
• Enterprise Security Zone – Level 5 Enterprise Network; Level 4 Site Business Planning and Logistics Network (E-Mail, Intranet, etc.)
• Industrial DMZ (between two firewalls) – Remote Gateway Services, Patch Management, AV Server, Application Mirror, Web Services Operations, Application Server
• Industrial Security Zone – Level 3 Site Operations and Control: FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Remote Access Server
• Cell/Area Zone – Level 2 Area Supervisory Control: FactoryTalk Client, Operator Interface, Engineering Workstation; Level 1 Basic Control: Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control; Level 0 Process: Sensors, Drives, Actuators, Robots
• Traffic labels shown: Web, E-Mail, CIP

(32)
(33)

Segmentation

Structure and Hierarchy – Logical Framework

The Cell/Area zone is a Layer 2 network for a functional area of the plant floor.

Key network considerations include:
• Structure and hierarchy using smaller Layer 2 building blocks
• Logical segmentation for traffic management and policy enforcement (e.g. QoS, Security) to accommodate time-sensitive applications

[Diagram: Levels 0–2 Cell/Area Zones – Layer 3 Distribution Switch (Catalyst 3750 StackWise Switch Stack) providing Layer 3 inter-VLAN routing between Layer 2 building blocks; Rockwell Automation Stratix 8000 Layer 2 Access Switches; Level 0 Drive, Level 1 Controller, Level 2 HMI, I/O, Media & Connectors]
• Cell/Area Zone #1 – Redundant Star Topology, Flex Links Resiliency – Layer 2 Building Block VLAN 102 (VLAN 102 traffic stays in this block)
• Cell/Area Zone #2 – Ring Topology, Resilient Ethernet Protocol (REP) – Layer 2 Building Block VLAN 103 (VLAN 103 traffic stays in this block)
• Cell/Area Zone #3 – Bus/Star Topology – Layer 2 Building Block VLAN 104 (VLAN 104 traffic stays in this block)

(34)

Network Security Framework

VLANs, Segmenting Domains of Trust

[Diagram: two architectures compared]
• Flat and Open – Plant-wide IACS, Machine #1 (OEM #1) and Machine #2 (OEM #2) all on one Layer 2 network: VLAN 10, IP Subnet 192.168.1.0/24, Stratix 8300 ring with Stratix 8000 access switches
• Structured and Hardened IACS Network Infrastructure – Layer 3 Stratix 8300 ring with Layer 2 Stratix 8000 access switches; Plant-wide IACS: VLAN 10, IP Subnet 192.168.1.0/24; Machine #1 (OEM #1): VLAN 20, IP Subnet 10.20.20.0/24; Machine #2 (OEM #2): VLAN 30, IP Subnet 172.16.30.0/24
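The structured design above, and the “Enforce VLAN access with Access Control Lists” step in the Good/Better/Best slides later on, come down to ACLs on the Layer 3 switch that routes between the VLANs. The configuration below is an added Cisco IOS example using the slide's subnets; it is not taken from the CPwE design guides, and the SVI addresses, ACL names and the assumption that plant-wide supervisory hosts initiate CIP explicit messaging (TCP 44818) toward the machine are constructed.

```cisco
! Added example (not from the Rockwell/Cisco CPwE guides): inter-VLAN access control on the
! Layer 3 distribution switch, using the subnets shown on the slide.
! Assumptions: SVI addresses (.1) and ACL names are constructed; supervisory hosts on the
! plant-wide VLAN initiate CIP explicit messaging (TCP 44818) to the machine controllers.
!
! Plant-wide IACS, VLAN 10, 192.168.1.0/24  <->  Machine #1 (OEM #1), VLAN 20, 10.20.20.0/24
ip access-list extended PLANT-TO-MACHINE1
 remark CIP explicit messaging (EtherNet/IP) from supervisory hosts to the machine controllers
 permit tcp 192.168.1.0 0.0.0.255 10.20.20.0 0.0.0.255 eq 44818
 remark Everything else bound for the machine is dropped and logged (ping, RDP, SMB, ...)
 deny   ip any 10.20.20.0 0.0.0.255 log
 remark Traffic to other destinations is outside this ACL's concern
 permit ip any any
!
ip access-list extended MACHINE1-TO-PLANT
 remark Only replies to sessions the plant side opened may leave the machine VLAN
 permit tcp 10.20.20.0 0.0.0.255 eq 44818 192.168.1.0 0.0.0.255 established
 remark Implicit I/O (UDP 2222) and multicast stay inside the cell; they never cross this SVI
 deny   ip any any log
!
interface Vlan10
 description Plant-wide IACS
 ip address 192.168.1.1 255.255.255.0
 ip access-group PLANT-TO-MACHINE1 in
!
interface Vlan20
 description Machine #1 (OEM #1)
 ip address 10.20.20.1 255.255.255.0
 ip access-group MACHINE1-TO-PLANT in
!
! Machine #2 (VLAN 30, 172.16.30.0/24) gets the same pair of ACLs with its own subnet.
! Verify with: show access-lists (hit counters) and show logging (denied flows).
```

The logged denies are the detection side of the "Better" solution: a contractor laptop on the machine VLAN that tries to reach anything beyond CIP on the plant network shows up in the switch log.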

(35)

Network Security Framework

Cisco / Rockwell Automation Reference Architectures

• Structured and hardened network infrastructure
• Scalable framework utilizing holistic defense-in-depth approach
• Security is pervasive, not a bolt-on component
• Alignment with industrial security standards (e.g. ISA, NIST)
• Industrial security policy: A-I-C vs. C-I-A
• Industrial DMZ implementation
• Remote partner access policy, with robust & secure implementation

Network Security Services Must Not Compromise Plant Operations

[Diagram: Enterprise Zone (Levels 4-5, Enterprise WAN) – Industrial Demilitarized Zone (IDMZ) with Cisco ASA 5500 Firewall (Active) and Firewall (Standby) – Level 3 Site Operations (Catalyst 6500/4500, Catalyst 3750 StackWise Switch Stack) – Level 2 Area Supervisory Control (HMI, FactoryTalk Client) – Level 1 Controller – Level 0 Process (Controllers, I/O, Drives, MCC, Soft Starter)]

Security services shown in the diagram:
• Plant Firewall: inter-zone traffic segmentation; ACLs, IPS and IDS; VPN services; Portal and Remote Desktop Services proxy
• IDMZ physical or virtualized servers: Patch Management, Remote Gateway Services, Application Mirror, AV Server
• Standard DMZ design best practices
• Network infrastructure: hardening, access control, physical port security, network device resiliency, VLANs (segmenting domains of trust)
• AAA – FactoryTalk Authentication Server, Active Directory (AD), Remote Access Server; Controller AAA – RADIUS / ISE
• OS hardening
• Network status and monitoring
• Zone firewall
• Controller hardening: electronic, encrypted communications, physical security, procedural

(36)

Network Security Framework

Unified Threat Management (UTM) – Stratix 5900

The Stratix 5900 UTM security appliance is a ruggedized all-inclusive UTM with features such as firewall, secure routing, VPN (virtual private network), intrusion prevention, NAT (network address translation) and content filtering.

• Site-to-Site Connection, tunnels the Industrial Zone trusted network to a remote site over an untrusted network using a site-to-site VPN connection.
• Cell/Area Zone Firewall, to protect a Cell/Area Zone from the greater Industrial Zone.

Physical features
• RJ-45 Gigabit WAN
• 4 – 10/100Base-Tx LAN ports
• Shock/Vibration & Extended Temperature
• DIN rail mount

(37)

Network Security Framework

Unified Threat Management (UTM)

[Diagram: Enterprise Zone – Levels 4 & 5 Data Center, Enterprise-wide Business Systems; Level 3.5 IDMZ; Industrial Zone – Level 3 Site Operations with physical or virtualized servers (FactoryTalk Application Servers & Services Platform; Network Services – e.g. DNS, AD, DHCP, AAA; Remote Access Server (RAS); Call Manager; Storage Array); Levels 0-2 Cell/Area Zones – Local Cell/Area Zone #1, Local OEM Skid / Machine #1; Remote Site #1]

(38)


(39)

Remote Access Best Practice

Application Requirements
• Remote connection into the Plant
• Indirect access
• Enterprise centric
• IT involvement
• Common IT Infrastructure
• Following emerging Industrial Automation and Control System security standards: Defense-in-depth, DMZ
• Strict Change Management Requirements

[Diagram: Remote Engineer or Partner / Enterprise Connected Engineer → Enterprise Edge Firewall (VPN Client, IPsec VPN / SSL VPN) → Enterprise Zone Levels 4 and 5 (Internet, Enterprise WAN, Enterprise Data Center) → Demilitarized Zone (DMZ) with Firewall (Active) / Firewall (Standby), Gbps link failover detection, Patch Management, Application Mirror, AV Server, Remote Access Server (Remote Desktop Services, RSLogix 5000, FactoryTalk View Studio) → Industrial Zone Level 3 Site Operations and Control (Catalyst 6500/4500, Catalyst 3750 StackWise Switch Stack; FactoryTalk Application Servers: View, Historian, AssetCentre, Transaction Manager; FactoryTalk Services Platform: Directory, Security/Audit; Data Servers) → Levels 0–2 Cell/Area Zones (EtherNet/IP)]

(40)

Secure remote access for employees and trusted partners

• Meeting the security requirements of IT while enabling plant personnel to leverage trusted partners and shared, distributed company resources
• Common IT Infrastructure
• Following established Industrial Automation and Control System (IACS) security standards: Defense-in-depth, DMZ
• Enables remote asset management: monitoring, configuration and audit
• Helps simplify change management, version control, regulatory compliance and software license management
• Helps simplify remote client health management
• One size does not fit all – need scalable secure solutions

Remote Desktop Gateway – Network and Security Services Implementation

[Diagram: as on the previous slide, with a Generic VPN Client (IPsec VPN) at the Enterprise Edge Firewall and Remote Desktop Protocol (RDP) from the remote engineer through the DMZ Remote Access Server into the Industrial Zone]

(41)


(42)

Putting it Together

Secure Remote Access – Good, Better, Best

Scenario/Recognizing an Issue
An employee, or 3rd party, needs access to the control system from a network outside the production zone to assist in troubleshooting and maintenance

Good Solution
Stratix 5900

Better Solution
Good solution + expanded technical enforcement of the security perimeter using FactoryTalk Security

Best Solution
Better solution + expanded technical enforcement of the security perimeter through the implementation of Remote Access Gateways within an Industrial DMZ

(43)

Putting it Together

Unintended Action Protection – Good, Better, Best

Risk/Threat: Unintended employee actions – Lost $$$, Damage to product or assets

Scenario/Recognizing an Issue
Contractor connecting to plant network to make change or integrate new line causes downtime by introducing virus or unintentional configuration changes

Good Solution
• Detect unauthorized changes with change detection audit value
• Use managed switches to segment the architecture with VLANs
• Scan contractor devices

Better Solution
Good solution + Enforce VLAN access with Access Control Lists

Best Solution
Better solution + limit access with FactoryTalk Security with Security Authority Binding enabled

(44)

IACS Security

• Align with Industrial Automation and Control System Security Standards: DHS External Report # INL/EXT-06-11478, NIST 800-82, ISO/IEC-62443 (Formerly ISA-99)
• Implement Defense-in-Depth approach: no single product, methodology, nor technology fully secures IACS networks
• Establish an open dialog between Industrial Automation and IT groups
• Establish an industrial security policy
• Establish an IDMZ between the Enterprise and Industrial Zones
• Work with trusted partners knowledgeable in automation & security

"Good enough" security now, is better than "perfect" security ...never. (Tom West, Data General)

(45)

What Can You Do Now to Mitigate Risk?

Practice these 8 Simple, Actionable Steps to enhance industrial reliability and security

1. Control who has network access
2. Employ firewalls and intrusion detection/prevention
3. Use Anti Virus Protection and patch your system
4. Manage & protect your passwords
5. Turn the processor key(s) to the Run Mode
6. Utilize features embedded in Rockwell Automation products today (example: FactoryTalk Security)
7. Develop a process to manage removable media
8. Block access ports (example: key connectors)

(46)

A new ‘go-to’ resource for educational, technical and thought leadership information about industrial communications

• Standard Internet Protocol (IP) for Industrial Applications
• Coalition of like-minded companies

(47)

Additional Material

Cisco and Rockwell Automation Alliance

Website: http://www.ab.com/networks/architectures.html

Design Guides
• CPwE DIG
• Education Series

Whitepapers
• Securing Manufacturing Computer and Controller Assets
• Production Software within Manufacturing Reference Architectures
• Achieving Secure Remote Access to Plant Floor

(48)

www.rsteched.com

Follow RSTechED on Facebook & Twitter. Connect with us on LinkedIn.
